Hi I am developing a link to Twitter from a desktop application - it's a client/server application that runs on Windows. We have many clients using the software, each with anywhere from 1 to several hundred users. The brief is to allow an administrator to enter one or more Twitter accounts in to the database so that the individual users can post updates to any of the accounts without having to know the authentication details.
We have permanent xAuth access token exchange with the Twitter API. When a client administrator enters a Twitter account in to the database, they will enter the user name and password - my code will then immediately hit the API and exchange these for an access token which will then be stored in the database ready to be used when a user wants to post a status update. Trouble is I am having some problems with the http call that exchanges a user name and password for an access token, so any help and advice would be appreciated. I am developing in Delphi 7 but the https calls are made from a C# .NET 2.0 ComVisible class library which uses WebRequest/WebResponse. I am also using Fiddler 2 to view the traffic. Ok, an example. Here is my base signature (if I have the terminology correct) - I have obfuscated any sensitive data: POST&https%3A%2F%2Fapi.twitter.com%2Foauth %2Faccess_token&oauth_consumer_key%3DXXXXXXXXXXXXXXXXXXXX%26oauth_nonce %3DFTV8pi3ScCaYbkNkEHcdTqHHPPy6F3FpG8VHK2tv%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp%3D1278669373%26oauth_version %3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3DXXXXXXXX %26x_auth_username%3DXXXXXXXXXXXXX I then create the signature of this using HMAC SHA1 and the Twitter xAuth signing secret which gives me: b5d979ead19f4111b6e5b4db49aee893a2ccb30d Finally I create my Authorisation header for the http request which comes out like this: Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXXXXXX", oauth_nonce="FTV8pi3ScCaYbkNkEHcdTqHHPPy6F3FpG8VHK2tv", oauth_signature="b5d979ead19f4111b6e5b4db49aee893a2ccb30d", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1278669373", oauth_version="1.0" Now, if I am correct I am ready to post (to https://api.twitter.com/oauth/access_token) so I add the header but I am unclear as to whether I need to post the base signature string with it or whether this is discarded once the Authorisation header has been created, so I have tried both. The header is sent in each request but one request also sends the base signature in the SendStream where as the other request posts no data at all (but has the header). Header only returns an error: The remote server returned an error: (401) Unauthorized Header and data returns an error: The remote server returned an error: (417) Expectation Failed The second call (header and data) is interesting because when you view the traffic in Fiddler 2 I see the following headers: Cookies / Login Authorization: OAuth oauth_consun=mer_key="............. Entity Content-Length: 337 Content-Type: application/x-www-form-urlencoded Transport Connection: Keep-Alive Expect: 100-continue Host: api.twitter.com and yet looking at the response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>417 Expectation Failed</title> </head><body> <h1>Expectation Failed</h1> <p>The expectation given in the Expect request-header field could not be met by this server.</p> <p>The client sent<pre> Expect: 100-continue </pre> but we only allow the 100-continue expectation.</p> </body></html> So a 100-continue was sent which is the only thing allowed and yet it is complaining about it?! As I mentioned, any help or advice would be very welcome. Regards Craig
